The browser creates and later verifies the passkey assertion.
Passkey setup.
Portal access is passkey-gated.
The owner portal is the browser-facing control surface for lockers. A passkey binds portal access to a hardware-backed credential on the owner's device or security key. No password, TOTP code, or email recovery path is involved.
The passkey unlocks the owner UI; it does not sign gateway envelopes.
Storage operations still use the owner's Ed25519 or secp256k1 signing layer.
Entry
Start enrollment from the owner portal
Portal setup begins in the browser because the credential is created by the device authenticator, not by Nukez.
$ open https://portal.nukez.xyz/owner   # first visit starts WebAuthn enrollment
# use the browser profile and device you want bound to portal access
Code notes
Open the owner portal from a browser that supports WebAuthn. First-time access starts passkey enrollment before any owner-scoped locker action is available.
A passkey authenticates the human portal session. It is separate from the Ed25519 or secp256k1 key used to authorize gateway envelopes.
Credential
Register a WebAuthn passkey
The browser performs the passkey ceremony and returns a public credential record for future portal login checks.
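// Placeholders in <...> come from the server. In a real call, challenge and
// user.id must be binary (ArrayBuffer/Uint8Array), not strings, and the
// required rp, pubKeyCredParams and user.displayName members must be supplied.
navigator.credentials.create({
  publicKey: {
    challenge: "<server challenge>",
    user: { id: "<owner id>", name: "owner@example.com" },
    authenticatorSelection: {
      residentKey: "preferred",
      userVerification: "required"
    }
  }
})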
Code notes
The browser asks Touch ID, Face ID, a platform authenticator, or a security key to create the credential. Nukez stores the public credential record; the private credential remains on the device or authenticator.
Nukez stores the public credential material needed to verify future assertions. It never receives the private passkey material.
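The registration options above request `userVerification: "required"`, but that setting only has effect if the verifier checks the authenticator's flags on every login. The relying-party checks that precede signature verification, as an added example for Node.js (not Nukez's code); the RP ID, origin and challenge are constructed placeholders, and `checkAssertion` and `sampleAssertion` are hypothetical names.

```javascript
// Added example: relying-party checks that run before signature verification.
const { createHash } = require("node:crypto");

const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// expected: { challenge, origin, rpId } as issued/configured by the server.
function checkAssertion(clientDataJSON, authenticatorData, expected) {
  const errors = [];
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON).toString("utf8")) ?? {};
  } catch {
    return ["clientDataJSON is not valid JSON"];
  }
  if (clientData.type !== "webauthn.get") errors.push("wrong ceremony type");
  if (clientData.challenge !== expected.challenge) errors.push("challenge mismatch");
  if (clientData.origin !== expected.origin) errors.push("origin mismatch");

  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  const authData = Buffer.from(authenticatorData);
  if (authData.length < 37) return [...errors, "authenticatorData too short"];
  const rpIdHash = createHash("sha256").update(expected.rpId).digest();
  if (!authData.subarray(0, 32).equals(rpIdHash)) errors.push("rpIdHash mismatch");
  const flags = authData[32];
  if (!(flags & FLAG_UP)) errors.push("user presence flag not set");
  // The browser option is only a request; the verifier must enforce it.
  if (!(flags & FLAG_UV)) errors.push("user verification flag not set");
  return errors;
}

// Constructed sample values (not real Nukez identifiers).
const EXPECTED = { challenge: "Y29uc3RydWN0ZWQ", origin: "https://portal.example", rpId: "portal.example" };

function sampleAssertion(flags, overrides = {}) {
  const clientData = { type: "webauthn.get", challenge: EXPECTED.challenge, origin: EXPECTED.origin, ...overrides };
  const authData = Buffer.concat([
    createHash("sha256").update(EXPECTED.rpId).digest(),
    Buffer.from([flags]),
    Buffer.from([0, 0, 0, 1]), // signCount = 1
  ]);
  return [Buffer.from(JSON.stringify(clientData)), authData];
}

console.log(checkAssertion(...sampleAssertion(0x05), EXPECTED)); // UP + UV set
console.log(checkAssertion(...sampleAssertion(0x01), EXPECTED)); // UV missing
```

An empty result means these checks passed; the assertion signature must still be verified against the stored public credential before the session is accepted.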
Recovery
Enroll a second trusted authenticator
Add backup devices deliberately so portal access survives a laptop replacement without creating password recovery paths.
Owner portal > Security > Passkeys > Add credential
# repeat once per trusted device or security key
# remove old credentials before retiring a device
Code notes
Passkeys are per-device unless synced by the user's platform. Add another credential from an already authenticated owner session when a second laptop, phone, or hardware key needs portal access.
The portal supports multiple credentials per owner so recovery can be handled by enrolled authenticators, not passwords.
Passkeys are not signing keys.
A passkey authenticates access to the portal. It is distinct from the keypair used to authorize Nukez gateway envelopes. For the operational model where multiple signing keys coexist under one owner identity, read the multi-keypair guide.
